WordPress.org

Plugin Reviews

Limit Login Attempts

Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable.

134516

158 reviews
Average Rating
4.7 out of 5 stars
Super filter!
By ,

The best instrument against brute-force!

Great plugin
By , for WP 4.0

Thanks for sharing this for free. A life saver.

Works Perfectly
By , for WP 4.0

This plugin does exactly what is says it will. Thanks :)

Simple & Effective
By , for WP 4.0

I use this plugin on most of my sites. It is simple and effective. I don't like having those "all in one" security plugins overloading my WP installs. This plugin is the only security I use.

great work really
By , for WP 4.0

thank you so much for this great plugin.. my website ( http://www.ultrasoundtechniciansalaryusa.com/ ) is getting better and better with this plugin..

thanks a lot

works with 4.0
By ,

I found no problems in 4.0

Works great with WP 4.0
By ,

Works great with WP 4.0

Still works fine..
By , for WP 4.0

I already upgrade my wordpress to 4.0 and it's still work fine.. thx to johanee

extremely useful!
By , for WP 4.0

This plugin saved me from 4800+ false logins in the last 48 hours. I only wish I could download the log file so I could add those IP's to my blacklist.

Mysteriously Broken
By , for WP 4.0

Even though this plugin is no longer under development, it is still being recommended. Unfortunately, I have found some problems with it, and there appear to be at least 2 work-arounds that the script kiddies have found to defect the protection offered by this plugin. I would warn folks NOT to rely on this plugin -- here is an example of a fairly big security hole. Here are two emails I got from limit login attempts yesterday:

WordPress 2:59 AM (16 hours ago)
to me
4 failed login attempts (2 lockout(s)) from IP: 104.194.25.135
Last user attempted: [my admin account name]
IP was blocked for 72 hours

WordPress 10:45 AM (8 hours ago)
to me
4 failed login attempts (2 lockout(s)) from IP: 104.194.25.135
Last user attempted: [my admin account name]
IP was blocked for 72 hours

If you look carefully, you will see that the IP was *NOT* blocked after two lockout for the 72 hours that I had set up when I installed it.

I also discovered that using xmlrpc.php appear to circumvent limit login attempts, so I added this to my .htaccess file:

<Files xmlrpc.php>
Order Deny,Allow
Deny from All
Allow from [my IP address]
</Files>

That apparently wasn't enough, so I added this:

order allow,deny
deny from 104.194.25.
allow from all

I suspect this is a temporary solution, since the script-kiddies have learned how to spoof IP addresses at will.

This plugin gives only a false sense of security in the escalating battle with the blackhats, and the obvious flaws in the plugin lead me to consider it not worth my trust, and leads me to warn others away from it.

Right now, I don't have enough understanding of how things work with WP to go in an try to fix these problems (if they are actually fixable on this level, which is not a forgone conclusion), so I'm still looking for a better approach.

I have installed Ninja WP Firewall, which cut the brute-force attacks *way* down, but did not eliminate them (from over 1000/day, enough to may the site unusable, to fewer than 5 a week). Since there are a few brute-force attacks are still getting through, I predict that whoever discovered the work-around will be selling it to the script-kiddies soon, rendering Ninja WP Firewall essentially useless -- but at least it is still under active development.

Even though I don't expect brute-forcing my very long, randomly-generated password to succeed, 1) the attacks are a damned nuisance, and 2) I am fearful that there may be other security holes I currently don't know about.

There are a few sites on which I am the only person with a login, and I use .htaccess to whitelist my IP. For now, that works pretty well. Next thing to try is to password-protect the wp-admin directory of the sites with more than one user. That will make things less convenient for me as well as the other users, but less so than having to clean up a hacked site.

You must log in to submit a review. You can also log in or register using the form near the top of this page.